Ask Leo: Beware of the New Phishing Holes

Opening Phishing Holes with New Top-Level Domains

By Leo Notenboom

You’re used to seeing domains ending in .com, .net, and many others of what are called top-level domains.

But … .bank? .microsoft? .paypal?

Perhaps even .leo? .askleo?

ICANN, the Internet Corporation for Assigned Names and Numbers, is in the process of rolling out the ability to purchase your own top-level domain. It’s not cheap (you won’t be seeing .askleo any time soon), but it is happening.

Unfortunately, one of the expected side effects is a massive increase in phishing attempts. And if you’re not careful, you could fall victim.

New top-level domains

The concept is very simple: there’s no technical reason that the internet should be limited to domains that all end in one of a small set of tightly controlled top-level domains or TLDs.

They are somewhat useful – aside from the ubiquitous .com, .net, and other generic TLDs (gTLDs), most of the existing TLDs can be used to identify the country of registration. Even though some countries don’t restrict registration (Bit.ly, for example, is not related to Libya, and about.me has nothing to do with Montenegro), many, if not most, do.

But those are all standards of convenience – there’s really no technical reason that TLDs need to be limited to only that set.

And, beginning this year, they won’t be.

For the modest sum of $185,000 US, you can apply for a new, generic top-level domain (there is an application process and certain requirements must be met).

Assuming that you are successful and gain ownership of that domain, you then control what happens on that entire top-level domain. Were I to own .leo, I could create ask.leo as a domain for my website or mail. (Don’t worry, I don’t have a spare $185,000 to do it.)